Means for identification and exchange of encryption keys.



(57) The invention relates to a means for identification and exchange of encryption keys between communicating apparatuses for encrypted transmissions. The means comprises a card reader for smart cards connected to the communication apparatus which may be a telecommunication apparatus, e.g. of telephone or facsimile type. The reader can communicate with another reader at a called telecommunication apparatus. For identification and exchange of encryption keys the required calculations are performed by the reader or the smart card using data stored on the smart card in a protected field with limited access. The means enable intercommunication between products of different makes owing to a standard identification procedure and exchange of encryption keys.



[FIG: block diagram. Labels: A, B, READER, EXTERNAL APPARATUS, SMART CARD, NETWORK.]

Jouve, 18, rue Saint-Denis, 75001 PARIS 



EP 0 538 216 A1 



FIELD OF THE INVENTION 

The present invention relates to means for identification and exchange of encryption keys between two communicating apparatuses for encrypted transmissions, comprising readers connected to the communication apparatuses. Each reader contains a reader unit which together with software is capable of handling smart cards. The reader can communicate with another reader in the other communication apparatus. The means includes a built-in keyboard for inputting of data.

STATE OF THE ART 

Existing products for encryption, facsimile apparatuses, telephone, etc., often follow standards with respect to communication and algorithms, but exclude intercommunication between two products of different makes. A cheap accessory for these and new products would enable different makes to intercommunicate through a standard identification procedure and exchange of encryption keys. In addition, modern smart cards may be used in the procedures enabling strong algorithms and enhanced security.

SUMMARY OF THE INVENTION 

The present invention provides a means for identification and exchange of encryption keys between two communicating apparatuses for encrypted transmissions. According to the invention a reader for smart cards is connected to each communication apparatus. The required calculations are performed by the reader or the smart card using data stored on the smart card in a protected field with limited access.

Preferably the communication apparatus is a facsimile apparatus or a telephone.

Further embodiments of the invention are set forth in detail in the accompanying claims.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will now be described in detail with reference to the accompanying drawings in which the figure is a block diagram of the means according to the invention connected in a network.

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS OF THE INVENTION 

In the figure the means according to the invention is shown connected in a network, e.g. a telecommunication system. Encrypted traffic exists between the external apparatuses. The external apparatuses may be telephone or facsimile apparatuses. For identification and exchange of encryption keys two card readers are used communicating with each other. As a basis for the identification two smart cards are used, which means that the identification is performed by the card (and its owner) and that the reader as such does not contain anything confidential.

The reader may be connected in parallel with a telephone to an ordinary telephone jack via a standard intermediate plug (not shown). The reader contains a reader unit that, together with software functions, is capable of handling smart cards. The reader can communicate through dual-tone multifrequency (DTMF) signalling or using a modem. In addition, it has a built-in keyboard for data input. The control of the reader is performed through any one of the two communication channels available, using DTMF signalling or modem.

It is also possible to integrate the telecommunication apparatus and the card reader into a unit. In this case the unit has a single keyboard and a slot for inserting the smart card.

The reader is controlled by a central unit. It is an eight-bit central processing unit built for maximal integration of the function of the card reader directly in the central unit. The central unit is made with CMOS technology warranting a low current consumption. Internally there is a random access memory (RAM) of 256 bytes, which is sufficient for the functions to be performed by the reader. The machine code may be stored in a programmable read-only memory (PROM) or mask programmed directly in the central unit to minimize the current consumption and the price.

The card reader is equipped with a built-in keyboard containing 12 keys: the digits 0-9 and the characters * and #. The appearance corresponds to keyboards of ordinary telephones. The keyboard is connected directly to the central unit, eliminating the risk of leakage of input information.

The reader unit as such is intended for mounting directly on the circuit board, which is important to minimize the overall size and price of the construction. The reader unit is adapted for handling all smart cards in the market. The reader unit is totally passive and is only a link between the card and the central unit. Via the reader unit the central unit can communicate with the card and assist with current supply and clock. Various supply voltages and clock frequencies are supplied to the card depending on which card is connected.

The basic communication is achieved using DTMF signalling. The reader is provided with both a DTMF transmitter and receiver. The transfer rate is normally 10 characters (10x4 bits) per second. The DTMF receiver is connected in parallel with the ordinary telecommunication traffic, which means that it can receive data both from the user's telephone and from the telecommunication network.

Since DTMF signalling sets large limitations on the amount of data which can be transferred, the reader is also equipped with a built-in modem. The modem can handle communication according to CCITT V.21 and V.23, resulting in a transfer rate ranging to 1200 bps. This provides a greater flexibility with respect to the functions to be performed by the reader.

The reader is also fitted with a number of light-emitting diodes (LED) in various colours, the functions of which will be described below.

The reader is constructed from low current consumption components, but the most current-consuming component is the smart card. Since various cards will be used no exact current consumption can be calculated. Additionally, the cards consume more current when they are written, so that the current consumption varies with time. The current supply is provided by a battery or a battery eliminator. With a 9 V alkaline battery a continuous operation of the reader of approximately 3-4 hours is achieved. One of the above-mentioned light-emitting diodes indicates low battery voltage and need for change of battery.

When a card is inserted into the reading unit of the reader the reader is started automatically. When the card is pulled out the reader is switched off. Since smart cards are dependent on current supply from the reader they will return to idle position when pulled out of the reader unit. When the reader is started by inserting a card in the reader unit a yellow light-emitting diode is lighted. The reader tests the card to identify the type of smart card being used. If a card is accepted the yellow LED is switched off and the reader is ready for use. This means that the reader proceeds to listen for DTMF signals sent from the called system. If the reader does not recognize the card as any one of the accepted types the card is of an unknown type or turned the wrong way. Then a red LED is lighted and the reader waits for the card to be pulled out. All calls to the reader will then only give an error message as response.

Using the keyboard the user can input data locally to the reader. The inputted information may then be used as data for a command to the card. The most common type of inputted information is a personal code which is to be tested in the card, but it can also be another type of data, e.g. information to be encrypted. None of the operations on the keyboard will be sent in clear text on the telephone line. The reader accepts input from the keyboard after a command from the called system. When this is about to happen a green LED is lighted to indicate that the data is to be input. The input is terminated with "#" and the green LED is switched off. When the LED is switched off no manipulations on the keyboard will either be stored or sent on the line.

In a connected mode the reader listens continuously for data in the form of DTMF signals or via the modem being sent from the called system. When a start character is detected the reader perceives this as the start of a command. The telecommunication apparatus is then disconnected from the line and the reader goes to a command mode. The reader now collects all data through the signal "#" indicating end of command. If there is a delay of more than one second between the various characters the command is considered lost and the reader returns to search for the start character. When the whole command is received it will be decoded and performed. After the command is performed the reader always sends back a response. Thereafter the telephone is again connected to the line and the reader returns to listening. However, when the modem is connected the user will always be disconnected from the line. From the moment the reader has detected the start character until the reader has sent the whole response the yellow LED will be lighted.
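
The framing rule described above (start character, "#" as end of command, more than one second of silence discards the command) as an added example that is not part of the patent. The start character "A", the function name and the sample stream are assumptions; the page does not say which character starts a command.

```python
START = "A"        # assumed start character; the page does not name it
END = "#"          # end-of-command signal given on the page
MAX_GAP = 1.0      # seconds allowed between two characters of a command
DTMF = set("0123456789*#ABCD")


def extract_commands(events):
    """events: iterable of (time_in_seconds, character) as heard on the line.
    Returns (commands, lost): the bodies of complete commands and the number
    of commands abandoned because of a gap longer than MAX_GAP."""
    commands, lost = [], 0
    buf, last = None, None              # buf is None while searching for START
    for t, ch in events:
        if ch not in DTMF:
            continue                    # not a DTMF symbol, ignore
        if buf is not None and t - last > MAX_GAP:
            buf, lost = None, lost + 1  # command considered lost
        if buf is None:
            if ch == START:             # (re)start collecting
                buf, last = [], t
            continue
        last = t
        if ch == END:
            commands.append("".join(buf))
            buf = None                  # back to listening
        else:
            buf.append(ch)
    return commands, lost


# Constructed sample stream: one good command, one interrupted by a
# 1.4 s pause (its stray tail must be ignored), then another good command.
SAMPLE = [
    (0.0, "5"), (0.2, "A"), (0.3, "6"), (0.4, "6"), (0.5, "#"),
    (3.0, "A"), (3.1, "1"), (4.5, "2"), (4.6, "#"),
    (5.0, "A"), (5.1, "7"), (5.2, "#"),
]

if __name__ == "__main__":
    print(extract_commands(SAMPLE))
```
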

The reader always begins in DTMF mode, i.e. it listens for DTMF signals from the called system. By means of a command it is possible to change communication channel and instead connect the modem. Thus, there is a number of various operation modes: DTMF signalling and signalling with a modem with various transfer rates. The operation mode of the modem can be changed during ongoing modem traffic by means of a new command on the modem line. This enables e.g. a change between 1200/75 bps as transmission rate. The response to the command will always be issued on the communication channel on which the command was sent, DTMF or modem. The change of communication channel or operation mode of the modem will not occur until after the response has been transmitted.

By sending a command the reader can be requested to accept data from the user via the keyboard. The green LED is lighted to indicate that input is to be performed on the keyboard. The input is terminated by the user depressing the character #. The green LED is switched off when the input is terminated. The user has maximally 30 seconds to input data. If the input is not terminated within this time period an error code is returned instead. This command is normally used to accept the personal code which is to be used for opening the card connected.

A command may be sent directly to the card connected. The reader awaits a response from the card and then returns it. The reader waits maximally 30 seconds for a response. After this time period an error code is returned instead. The reader only investigates the length of the command as a control that sufficient data has been transmitted. Besides this no check of the command is performed. It is the task of the calling system to see to it that the command follows the specification of the connected card.

If data has been inputted from the keyboard this may be sent to the connected card using a special command. The input data is stored in a buffer of the keyboard and is transmitted together with the command to the card. Also in this case only the length of the data is checked in the keyboard buffer. The software of the card reader is designed so that two readers can communicate with each other, and the reader is provided with a serial port. This serial port is used to deliver the result of the identification and the exchange of encryption keys to the external unit. In other words, the reader is not used to perform the encryption as such but only for the exchange of keys.

The means should be capable of performing identification of both parties in a communication and should additionally generate encryption keys exchanged between the systems. Identities and encryption keys are then delivered to the external apparatus for use. The external apparatus communicates with the card reader via an ordinary asynchronous serial port. The card reader is controlled via this interface to perform identification. The identity and the encryption key are also delivered here. The identity of the user (the apparatus) is stored in the smart card. This card is protected by a password which is declared using the keyboard of the card reader. The card is also used in calculating and testing the identity.

Every user gets a pair of keys, one open and one secret key in accordance with RSA (Rivest-Shamir-Adleman). These keys are then used for identification and exchange of keys. According to RSA the keys are preferably chosen in the manner below.

Every user himself selects two large prime numbers p and q and calculates $n = pq$. From the range $[\max(p, q) + 1,\ n - 1]$ a new number d is chosen and thereafter the number e is calculated. These two new numbers are to be used together with n in encryption and decryption. d should be a prime number and is selected according to certain criteria, wherein the selection has an importance for the strength of the algorithm. e is calculated as $e = \mathrm{inv}(d, \varphi(n))$ ($\varphi$ = totient function). d and e then give the two functions $M = C^d \bmod n$ and $C = M^e \bmod n$, where M is a plain message and C is the encrypted correspondence thereof. Together this means $M = C^d \bmod n = (M^e \bmod n)^d \bmod n = M^{ed} \bmod n = \dots = M$, i.e. the two functions are inverses of each other. This means that one key (function) for encryption and another for decryption are used. This is usually called asymmetric encryption.

The above two functions may be denoted as $C = E(M)$ and $M = D(C)$, where E and D are the individual user's encryption and decryption transformations, respectively (or vice versa). E may be handed out, while D must be kept secret. Both these transformations (keys) are stored in the smart card of the user. Additionally, D is stored in a way which excludes copying.

In addition, two system constants, a and q, are stored on the smart card. a is a random number and q is a strong prime number (q = 2p + 1, where p is a prime number). These two constants are used in calculating the key of the secondary encryption (see below).



Every user has a card reader certificate, a digital identification. This certificate consists of four text fields, separated by semicolons. The entire certificate is stored on the user's smart card. The four fields are:

Identity: A string of any length consisting of alphanumeric characters.

Public RSA key: This is in turn two fields, e and n (as mentioned above). These two fields are stored as long hexadecimal numbers, separated by a comma.

Validity date of certificate: This is a text field with the form yyyy-mm-dd.

A signature of the above: A hexadecimal number calculated as shown below.

A user's certificate is signed at a certification authority possessing two transformations of its own, $D_s$ and $E_s$, as shown above. $E_s$ is generally known and resides in our case in the user's smart card. $D_s$ is extremely secret, since $D_s$ is used to generate signatures for all cards. If someone other than the authority would use $D_s$ the whole reliability of the identification is lost. Therefore, $D_s$ is stored in a special smart card and is protected by a password. $D_s$ can never be read, but can only be used by the proprietor of the password. This protection is today the best allowed by technology.

A user, e.g. A, registers with the authority and receives a signature $S_A = D_s(\mathrm{MD}(\text{the user's certificate}))$. MD is a "Message Digest" function compressing the fields in the certificate (excluding the signature field) to a short number. This function is used to limit the need for calculation with long (heavy) numbers. The signature received can then be verified by everybody knowing $E_s$ and is a proof of authenticity for the user's identity and public key. The signature is stored in the user's smart card together with the rest of the certificate.

When the user A contacts user B they start with exchanging the respective identities, public keys as well as their signatures (certificates). Then A tests whether B and $E_B$ belong together by testing the signature $S_B$, i.e. if $E_s(S_B) = \mathrm{MD}(\text{B's certificate})$. B does the same thing. In this way it is possible to learn if the claimed identity and the public key belong together.

A and B then select a random number each which is transmitted in plain text. The opposite party encrypts this using its secret key, i.e. $X = D(R)$, where R is the random number and X is the result. The result of the encryption is then re-transmitted, and the respective reader decrypts this with the public key of the other reader which was in the transmitted certificate. If the random number reappears after the decryption, one of the readers knows that the other reader is the proprietor of the public key, which was in the certificate. Since the certificate has been proven to belong to the alleged identity also the identity has now been verified.

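
The key selection, the four-field certificate, the signature test and the random-number test described above can be followed end to end in a short program. This is an added example, not code from the patent: the demonstration primes, the identity FAXB, the dates, the use of SHA-256 reduced modulo n as the MD function and all function names are assumptions made for the illustration.

```python
import hashlib
import re
import secrets
from datetime import date
from math import gcd

HEX = r"[0-9a-fA-F]+"


def make_key(p, q, d):
    """Toy RSA pair chosen as on the page: n = pq, d from
    [max(p, q) + 1, n - 1], e = inv(d, phi(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (max(p, q) < d < n and gcd(d, phi) == 1):
        raise ValueError("d is outside the range or has no inverse")
    return {"n": n, "d": d, "e": pow(d, -1, phi)}


def md(text, n):
    """Assumed stand-in for the unspecified Message Digest function."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n


def issue_certificate(identity, key, valid_to, ca):
    """Authority side: signature S = D_s(MD(first three fields))."""
    body = f"{identity};{key['e']:x},{key['n']:x};{valid_to}"
    return f"{body};{pow(md(body, ca['n']), ca['d'], ca['n']):x}"


def check_certificate(cert, ca_e, ca_n, today):
    """Reader side: parse the four fields, then test E_s(S) == MD(certificate).
    Returns (identity, e, n); raises ValueError on any failure."""
    fields = cert.split(";")
    if len(fields) != 4:
        raise ValueError("certificate must have four fields")
    identity, public, valid_to, signature = fields
    if not re.fullmatch(r"[A-Za-z0-9]+", identity):
        raise ValueError("identity must be alphanumeric")
    if not re.fullmatch(HEX + "," + HEX, public):
        raise ValueError("public key must be 'e,n' in hexadecimal")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", valid_to):
        raise ValueError("validity date must be yyyy-mm-dd")
    if date.fromisoformat(valid_to) < today:
        raise ValueError("certificate has expired")
    if not re.fullmatch(HEX, signature):
        raise ValueError("signature must be hexadecimal")
    body = ";".join(fields[:3])
    if pow(int(signature, 16), ca_e, ca_n) != md(body, ca_n):
        raise ValueError("signature does not match the certificate")
    e, n = (int(v, 16) for v in public.split(","))
    return identity, e, n


def respond(challenge, key):
    """Card side: X = D(R), using the secret exponent held by the card."""
    return pow(challenge, key["d"], key["n"])


def identify(peer_cert, ask_peer, ca_e, ca_n, today):
    """Check the peer's certificate, then challenge it with a fresh R.
    ask_peer stands for sending R over the line and reading back X."""
    identity, e, n = check_certificate(peer_cert, ca_e, ca_n, today)
    r = secrets.randbelow(n - 2) + 2      # random number, sent in plain text
    if pow(ask_peer(r), e, n) != r:       # E(X) must give R back
        raise ValueError("peer does not hold the secret key")
    return identity


# Constructed demonstration keys from well-known primes; not usable in practice.
CA = make_key(2**127 - 1, 2**521 - 1, 2**607 - 1)
KEY_A = make_key(2**61 - 1, 2**89 - 1, 2**107 - 1)
KEY_B = make_key(2**107 - 1, 2**127 - 1, 2**130 - 5)
TODAY = date(2024, 1, 1)                  # constructed "current" date
CERT_B = issue_certificate("FAXB", KEY_B, "2030-12-31", CA)

if __name__ == "__main__":
    # Reader A identifies reader B.
    print(identify(CERT_B, lambda r: respond(r, KEY_B), CA["e"], CA["n"], TODAY))
```

A reader that presents B's certificate but answers the challenge with a different secret key is rejected at the last comparison in `identify`, which is the step that ties the certificate to the party on the line.
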
The last step is exchanging the encryption keys. Each user generates a random number X and calculates $Y = a^X \bmod q$. a and q are two system constants and they are stored on the smart card. These Ys are exchanged between the readers, and reader A now calculates $K = Y_B^{X_A} \bmod q = (a^{X_B})^{X_A} \bmod q = a^{X_B X_A} \bmod q$. If B treats $Y_A$ in the corresponding way both A and B will now share the common key K. This key is then used for encryption in a secondary encryption. Since both parties have been involved in generating the key a disclosure of the keys of one party will not disclose K. In addition, by varying X for each session, two sessions will never have the same key.
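
The key exchange above, written out as an added example (not part of the patent). The check of the system constants, the range check on the received Y, the value a = 5 and the 65-bit q are assumptions of this sketch; the page itself only states that q is a strong prime of the form 2p + 1 and that a is a random number.

```python
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases; exact for n below 3.1e23."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def constants_ok(a, q):
    """The page's condition on q (q = 2p + 1 with p prime, q prime);
    a is additionally required here to lie in 2..q-2."""
    return is_prime(q) and is_prime((q - 1) // 2) and 2 <= a <= q - 2


def next_strong_prime(start):
    """Smallest q >= start of the form 2p + 1 with p and q prime."""
    q = start | 1
    while not (is_prime(q) and is_prime((q - 1) // 2)):
        q += 2
    return q


class Reader:
    """One side of the exchange; holds the session secret X."""

    def __init__(self, a, q):
        if not constants_ok(a, q):
            raise ValueError("unsuitable system constants")
        self.a, self.q, self.x = a, q, None

    def start_session(self):
        self.x = secrets.randbelow(self.q - 3) + 2    # fresh X in 2..q-2
        return pow(self.a, self.x, self.q)            # Y = a^X mod q

    def finish_session(self, peer_y):
        # Added check: Y of 0, 1 or q-1 would force K to 0, 1 or q-1.
        if self.x is None or not 2 <= peer_y <= self.q - 2:
            raise ValueError("no session open or Y out of range")
        k, self.x = pow(peer_y, self.x, self.q), None  # X is single-use
        return k


def exchange(reader_a, reader_b):
    """Run one session and return the key as computed on each side."""
    y_a, y_b = reader_a.start_session(), reader_b.start_session()
    return reader_a.finish_session(y_b), reader_b.finish_session(y_a)


Q = next_strong_prime(2**64)   # constructed demonstration constant
A = 5                          # constructed; the page only says "random"

if __name__ == "__main__":
    print(exchange(Reader(A, Q), Reader(A, Q)))
```
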

The various public keys should be readily available to all needing them, e.g. to test a signature, e.g. in a directory.

A problem with directories is the protection of the contents of the directory. If someone is able to manipulate the public key and mislead those who utilize the directory to use the wrong key, this someone can act as if he was someone else, e.g. mask himself. It is possible to protect the directory from this by the directory being physically and logically protected against manipulation. A secure communication channel directory then provides an adequate protection against most invaders.

However, a more elegant way is that the information in the directory in turn is signed by means of a digital signature. This is achieved by the individual records being signed by a certification authority, which can be viewed in the same way as the authorities issuing ordinary identifications who in fact warrant the authenticity of the identification. This authority should be responsible for the security of the system.

The above description of the directory function works excellently e.g. in a computer network or in other environments where the communication is readily established. However, in many situations this is not possible. If e.g. two facsimile apparatuses are about to identify each other they must have direct access to the public keys of each other. One way to solve this is that the various systems have the key directories stored locally in a safe manner (e.g. in a smart card). The requirements on storage capacity may however be too large, but above all a problem arises when a new system comes into existence or when some system changes key/identity. Then every local directory has to be updated, which can be a time-consuming procedure. In addition, there can be an interest in two systems being able to communicate with each other without previous contact. It should be sufficient that both are approved by a common certification authority for communication with each other.

The easiest way to solve this is letting the systems exchange their respective identities and the public keys with each other, signed by the common authority. Using this signature the various systems can check the authenticity of the identity of the others and the public key, without either previous or immediate contact with a third party. The important thing here is the possibility of a safe identification. As no third party is involved in the identification moment the identification procedure must be able to establish the identity with a 100 percent certainty of both parties. Every "masquerade" attempt should be made impossible.

All types of smart cards offer the possibility of protecting data fields using a personal code. These data fields may only be used by the proper user, the smart card not allowing access to these fields without the user having presented the right code. By protecting the key of the user's secret transformation in a public key system in such a data field, it is possible to presume with high reliability the authenticity of messages calculated using this transformation.

The problems associated with the above are mainly two. Partly, the equipment reading the key from the card or later handling it should not be able to be manipulated. In addition, this equipment must have the calculation capacity required for calculating exponents and divisions (modulo) of long numbers in an acceptable time. The first problem can be handled by the equipment being made secure or at least protected by the user in the same way as he/she protects his/her card. As the personal codes of the card often are handled in clear text inside this equipment this is another problem which has to be addressed. The calculation capacity may however be an even bigger problem, since the protection of the equipment only can be guaranteed relatively close to the card (in the card reader), where the calculation capacity often is limited.

One way to solve both problems simultaneously is to let the card as such take care of both the protection of the key and the calculations. This is increasingly more common and today exists in at least two types of smart cards. However, dependent on the choice of identification method, other requirements may be put on the smart card.

To perform an identification and exchange of keys at least five calculations of the type $a^x \bmod p$ are required. All five calculations are of the same type. In addition, this algorithm is built-in in at least two different commercially available smart cards. However, the cards differ as to the ability of calculating with generally selected a, x and p. The most common RSA calculation is the one with the secret key (D), in which case a is d and p is n. In our case, this is only one of the five calculations. In the other cases both x and b are totally different numbers.

Since the card reader is programmed to accept certain cards it is able to choose different methods of securing the identification.

In the most preferred embodiment of the invention the smart card calculates everything. In this type of card the secret part of the RSA key (e) is stored safely. In addition, the modulo variable n is stored permanently on the card, so that the card efficiently can perform $a^e \bmod n$ ($E_i()$ as mentioned above). Additionally, the card can be supplied with general arguments for the RSA algorithm. Since the card is especially designed for calculating with RSA this is the fastest method seen overall. One can assume that one calculation takes maximally one second and, thus, the whole phase of identification and exchange of encryption keys (overhead excluded) will take maximally five seconds.

If the card is not capable of calculating using general arguments for the RSA algorithm the reader has to use its built-in algorithm for calculating everything else than $E_i()$. This means no deterioration of the security, since precisely $E_i()$ is the only thing critical from the security point of view. However, this means a reduced efficiency. An RSA calculation in the card reader takes approximately ten seconds. Since three of the five calculations in this case have to be performed by the reader the whole procedure will take approximately 35 seconds.

If the card is not capable of calculating with RSA at all the reader must take care of all the calculations. The variables (n and p) normally stored permanently in the card are read as data stored on the card in this method. The reader reads these variables from the card in calculating $E_i()$. This means a substantial deterioration of the security, since the identity of the card can be manipulated in this way. The card and the data thereof are however still protected by the password of the card. This is also the least efficient method. The total procedure for identification and exchange of encryption key takes approximately 50 seconds, which is experienced as annoyingly slow. The advantage is that any smart card can be used in this method.

For the reader to be able to be used it has to be activated by inserting one's smart card in the reader. Using the keyboard the password is then inputted to the card, which is opened. Thereafter the reader is ready to receive commands through the serial port or as DTMF signals on the telephone line. If a command enters through the serial port the reader will take the initiative for identification of the other reader. A command from the telephone line is the result of an initiative of the other reader.

The card reader is provided with a serial port. This serial port may be very simple and is capable of transmitting and receiving data at 9600 bps asynchronously, 8 data bits, no parity.

The apparatus controls the reader to perform identification and generation of encryption keys. Since both operations occur simultaneously there is only one command for the apparatus to the reader. The reader transmits a status message to the apparatus simultaneously with the communication with the opposite reader and, after the identification and generation of encryption key, also the result.

Between the two readers communication is accomplished by means of DTMF signalling and modem transmission. The DTMF signalling is used to generate the initial contact. The reader that takes the initiative transmits the DTMF sequence "A66#". The other reader responds with the sequence "B66#", whereupon both readers are switched over to modem communication. In modem mode the identification and exchange of encryption keys will be performed. The reader who took the first initiative begins with transmitting in modem mode. Thereafter, the readers are communicating alternately with each other, until the entire procedure is performed.



Claims 

1. Means for identification and exchange of encryption keys between two communicating apparatuses for encrypted transmissions, characterized in that a reader for smart cards is connected to each communication apparatus, the required calculations being performed by the reader or the smart card using data stored on the smart card in a protected field with limited access.

2. Means according to claim 1, characterized in that all the calculations are performed by the smart card.

3. Means according to claim 1 or 2, characterized in that the reader is connected to the communication apparatus via an asynchronous serial port.

4. Means according to claim 3, characterized in that the communication apparatus is a facsimile apparatus or a telephone set.

5. Means according to any one of the preceding claims, characterized in that the communication between the readers is achieved by means of dual-tone multifrequency signalling and/or modem communication.

6. Means according to any one of the preceding claims, characterized in that the card reader is connected to the telecommunication system in parallel with the telephone set, preferably by means of an intermediate plug.

7. Means according to any one of the preceding claims, characterized in that the card reader is integrated with the telephone set provided with a slot for inserting the card.

8. Means according to any one of the preceding claims, characterized in that bidirectional communication in several steps occurs between the communication apparatuses.